Internet Worms

Definition of Internet Worms

The most basic definition of an internet worm is mischievous code that
attempts to propagate over networks. The term "worm" itself has its origins
in a science fiction story called The Shockwave Rider, written by John Brunner
in 1975[1]. It should be noted that worms are not inherently bad by nature;
the early worms were developed as tools to do useful work across networks
of computers. However, it soon became apparent that they could easily be
turned into a destructive force.

Internet worms are automated intrusion agents: they attack a vulnerable
host, infect it, and then use it as a base from which to attack further
vulnerable targets. Worms differ from viruses in their approach; viruses
generally exploit human weaknesses, tricking the user into launching the
virus, whereas worms, more subtly, attack the technical weaknesses of a host.
They also differ in design: a virus attaches itself to existing programs,
while a worm runs as an independent program.

As discussed later in this article, several worms have brought the practice
of creating internet worms to public attention, most famously Robert Morris'
worm of 1988. It was neither the first worm nor the last, but it was the
worm that managed to dominate the front pages for over a week and thus secure
its place in the hall of fame of internet worms. This worm gave the concept
a notoriety that surely inspired others to follow in his footsteps.

Efforts have been made to model the behaviour of worms as they propagate.
Cliff Zou's paper "Monitoring and Early Warning for Internet Worms" uses
the following discrete model.

is the number of hosts infected at a given point in time.

is the pairwise rate of infection.

is the infection rate.

The graph[3] of the number of hosts infected against time clearly shows
a slow build-up stage, followed by an extremely rapid propagation phase,
and finally a slow finishing stage. This highlights why worms are so
devastating: they can in general be blocked and killed off once we know
of their existence, but by the time they are noticed the rapid propagation
phase is usually already under way.
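The three-stage curve described above can be reproduced with the classic simple epidemic (SI) model, which is the kind of model the cited paper builds on. The C program below is an added example written for this article, not code from the paper or from any worm: the host population, the single seed infection and the infection rate are constructed values, and the step equation I(t+1) = I(t) + beta * I(t) * (N - I(t)), with beta as the pairwise infection rate and alpha = beta * N as the infection rate, is the assumed form of the model, since the article reproduces only the parameter descriptions.

```c
#include <stdio.h>

/* Phase boundaries of one simulated outbreak, measured in time steps ("ticks"). */
typedef struct {
    int build_up_end;   /* first tick at which infected hosts reach 10% of N */
    int rapid_end;      /* first tick at which infected hosts reach 90% of N */
    int finish;         /* first tick at which infected hosts reach 99% of N */
} worm_phases;

/* One step of the simple epidemic (SI) model assumed here:
   I(t+1) = I(t) + beta * I(t) * (N - I(t)).
   beta is the pairwise infection rate and N the number of vulnerable hosts.
   The factor (N - I(t)) is what eventually slows the worm down: there are
   fewer and fewer clean hosts left to find. */
double worm_si_step(double infected, double beta, double hosts) {
    double next = infected + beta * infected * (hosts - infected);
    return next > hosts ? hosts : next;   /* cannot infect more hosts than exist */
}

/* Run the model and record the tick at which each phase ends.
   A field stays -1 if that threshold is never reached within max_ticks. */
worm_phases worm_simulate(double hosts, double beta, double initial, int max_ticks) {
    worm_phases p = { -1, -1, -1 };
    double infected = initial;
    for (int t = 0; t <= max_ticks; t++) {
        if (p.build_up_end < 0 && infected >= 0.10 * hosts) p.build_up_end = t;
        if (p.rapid_end < 0 && infected >= 0.90 * hosts) p.rapid_end = t;
        if (p.finish < 0 && infected >= 0.99 * hosts) { p.finish = t; break; }
        infected = worm_si_step(infected, beta, hosts);
    }
    return p;
}

int main(void) {
    /* Constructed parameters: 100,000 vulnerable hosts, one seed infection,
       and an infection rate alpha = beta * N of 0.5, i.e. each infected host
       finds half a new victim per tick while most hosts are still clean. */
    double hosts = 100000.0, alpha = 0.5, beta = alpha / hosts;
    double infected = 1.0;
    printf("tick  infected\n");
    for (int t = 0; t <= 40; t++) {
        printf("%4d  %8.0f\n", t, infected);
        infected = worm_si_step(infected, beta, hosts);
    }
    worm_phases p = worm_simulate(hosts, beta, 1.0, 1000);
    printf("build-up ends at tick %d, rapid phase ends at tick %d, 99%% reached at tick %d\n",
           p.build_up_end, p.rapid_end, p.finish);
    return 0;
}
```

Printing the curve shows the three stages: around two dozen ticks to reach 10% of the hosts, under ten ticks from 10% to 90%, and a slow tail to 99%. For a defender the important reading is the first stage: it is the only window in which the outbreak is still small, and it is the window that an early-warning system of the kind the cited paper proposes is designed to detect.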

When a worm designer is aware of a particular platform weakness, they will
exploit it, and through stealth and speed the worm will usually propagate
successfully. Eventually a vaccine is created and the platform flaw is
patched. Should the worm designer have malicious intentions, the damage
done could be horrific, in terms of both money and data loss.

So why are worm-based intrusions persistent? Two main reasons are ease and
penetration: they continue to work in the developer's absence and can
aggressively attack many networks at speed.

Reconnaissance mechanisms allow the worm to survey the world around it and
gather the information it needs to identify targets. The attack capabilities
are how the worm gains entry; the most common exploits are buffer overflows
or cgi-bin errors. An important point is that worms are predominantly aimed
at a particular platform, because making them cross-platform would result
in significantly larger programs. A system of nodes is useless unless they
can be controlled: the command interface, using a master-slave relationship,
allows an intruder to command the system manually. Communication capabilities
are vital to allow reconnaissance information to be shared across distributed
nodes. The worm will also keep records of its members and their locations.
Worms, like any good piece of software, are adaptable; they maintain a set
of functions that allow the worm to adapt to new targets.

Worms frequently attack hosts by buffer overflow. This is where user-provided
input is stored in a region of memory of fixed size. Languages such as C
perform no bounds checking and provide no memory protection of their own,
so if the input is excessively long it will overwrite other data. The input
may be crafted so as to insert arbitrary code into the running process,
which then runs with the process's existing privileges.
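The defect just described, as an added example that is not code from the article: a C function that copies user input into a fixed-size stack buffer with strcpy and no length check, beside a hardened version that measures the input first, rejects anything that does not fit and copies with an explicit bound. The buffer size, function names and sample inputs are constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* constructed: a fixed-size stack buffer of 16 bytes */

/* The defect the article describes: user input is copied into a fixed-size
   buffer with no length check. strcpy keeps writing until it reaches the
   input's terminating NUL, so any input of NAME_LEN bytes or more writes
   past 'name' into neighbouring stack data (undefined behaviour). */
int store_name_unchecked(const char *input) {
    char name[NAME_LEN];
    strcpy(name, input);              /* no bound on the copy */
    return (int)strlen(name);
}

/* Hardened form: measure the input first, refuse anything that does not fit
   (keeping one byte for the NUL), and copy exactly the measured length.
   Returns the stored length, or -1 if the input was rejected. */
int store_name_checked(const char *input) {
    char name[NAME_LEN];
    size_t len = strlen(input);
    if (len >= sizeof name)
        return -1;                    /* would overflow: reject instead */
    memcpy(name, input, len + 1);     /* copies the terminating NUL as well */
    return (int)len;
}

int main(void) {
    const char *short_input = "morris";                                   /* constructed */
    const char *long_input  = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* 40 bytes, constructed */
    printf("checked(short input): %d\n", store_name_checked(short_input));
    printf("checked(long input):  %d\n", store_name_checked(long_input));
    /* store_name_unchecked(long_input) is deliberately not called: it would
       corrupt the stack, which is precisely the entry point a worm relies on. */
    return 0;
}
```

The only difference between the two functions is the length check and the bounded copy; that small difference is what a vendor's patch for a worm's entry vulnerability typically consists of. Stack protectors and non-executable stacks in modern toolchains make the unchecked version harder to exploit, but they do not make it correct.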

History of Internet Worms

This is a brief overview of some of the major events in the history of
Internet worms.

As already stated in our definition, the first incarnations of internet
worms were not the malevolent threat they are today. These early worms
(developed in 1982 at Xerox's Palo Alto Research Center by John Shoch and
Jon Hupp) were in fact designed to perform useful tasks within a network.[1]

Despite the evident usefulness of these programs, it was also clear that
in the wrong hands they could quite easily be turned to malevolent uses
(for example, all the computers at Xerox's research centre crashed when
one of the overnight worms malfunctioned). Because of these problems the
profile of worm research diminished for a number of years, until later in
the 1980s, when the malevolent impact of worms began to rear its ugly head.

The first true Internet worm (and probably the most famous) was released
on 2nd November 1988 by Robert T. Morris. It attacked Sun and DEC UNIX
systems attached to the Internet and within 24 hours had invaded
4,000-6,000 machines.[5][6]

Morris originally intended the program to be a benign proof of concept;
however, it had a massive effect due to a bug in the code. When it reinfected
a machine, there was a fixed chance that the new infection would not quit,
causing the number of running worms on a machine to build up and thereby
placing a heavy load on many systems. Even on a modern machine, such a bug
would have a similar effect of overwhelming the system. This caused the worm
to be noticed quickly and to cause significant disruption. Most subsequent
worms have mechanisms to prevent this from happening.[4]

Morris' worm received massive media attention and brought the dangers
posed by worms to the world's attention. The techniques Morris used in his
worm laid a foundation for future worms to build and improve upon.

The Melissa Worm was first recognised on 26th March 1999; it was the first
major mail worm, a form of worm which was to become hugely prevalent.
Melissa was written by David L. Smith and named after a lap dancer he met
in Florida.

Melissa contained a Word macro virus (macro viruses are computer viruses
that use an application's own macro programming language to distribute
themselves) [7], but unlike previous viruses of this type it could spread
in a semi-active manner. It attacked Microsoft's Outlook and Word programs:
any time an infected user attached a Word document to an email, that email
was sent on to the first 50 addresses in the recipient's address book if
they used Outlook as their mail client. [8][4]

Melissa shut down Internet mail systems, which became clogged with infected
e-mails propagating from the worm, and Smith received a 20-month prison
sentence for his trouble. A large number of mail worms followed Melissa,
and they continue to be a significant threat.

In 2001 active worms made a return to prominence. The first of these worms
to be noticed was called Code Red. Code Red was a relatively simple worm
which affected computers running Microsoft's Internet Information Server
(IIS) web server. It infected over 350,000 servers in just over 12 hours.
Once it had infected a system, Code Red waited for 20-27 days before
launching denial of service attacks on several fixed IP addresses (including
the IP address of the White House). [4][9][10]

Other examples of this new breed of active worm include Code Red 2 and
Nimda. On 25th January 2003 the SQL Slammer worm caused one of the largest
and fastest-spreading denial of service attacks ever. In less than 10 minutes
Slammer had spread worldwide; the worm took down 5 of the 13 DNS root servers
along with tens of thousands of other servers, and affected a multitude of
systems ranging from ATM systems to air traffic control to emergency
systems. [11]

How to Combat Internet Worms?

Current security measures against internet worms predominantly take the
approach of observing the effects of worms and trying to ensure they do not
happen again. In essence, they are in a constant state of catch-up: systems
need constant updating to be aware of new threats. This may be a great
money-spinner for security software vendors who charge subscriptions for
updates, but is this an acceptable situation for internet users, business
and personal alike? The fact remains that there are no proven alternatives
at the moment. However, there seems to be a growing feeling that a new
approach must be taken, that prevention is better than cure. A recently
released product claims to be 100 percent accurate and to need no
updates [12]. This product works by monitoring system calls and trying to
block anything unusual; it is based "on the principle that malicious code
always violates basic software conventions" [13]. A very bold assumption,
you'll agree. Recent history has shown us that the very nature of both
internet worms and the people who develop them is that they will adapt to
any situation. With the window of time between the discovery of a
vulnerability and the development of a worm to exploit it getting smaller
all the time [14], we must face up to the possibility that they will prove
impossible to eradicate.

The sheer number of companies that develop technologies and products that
are web-based or that can be spread across a network has provided an
enormous number of loopholes through which worm programs can be developed.
A recent worm targeted Windows XP systems that ran the open-source database
program MySQL [15], by exploiting a backdoor within the database code. In
situations like this the line is blurred as to who exactly is responsible
for the security breach. The movement towards intrusion prevention has thus
taken on even greater impetus. The idea of segmenting a network around
security, so that any potential threats can be isolated, is one that is
currently being explored [14]. The current movement towards XML as the main
language of the Web and its underlying technologies has provided a brand
new set of problems for internet security [16]. The SQL compatibility
techniques have made it imperative that security be not confined to the
network layer alone, but rather spread across all the application layers.

Many industry experts accept that the development of a worm that could
cause greater devastation than anything experienced before is almost
inevitable. Theoretically, the so-called Warhol worms could infect all
vulnerable servers in 30 seconds, rather than 15 minutes [17]. The recent
Slammer worm showed the very real possibility of such a threat. It is
estimated that, in a worst-case attack, the US could suffer $50 billion in
direct damages [18]. Pessimists think that enemy nations or terrorist groups
could have the facilities to sniff out an as yet unknown Windows
vulnerability and exploit it with dire consequences. The existence and
discovery of a potentially huge vulnerability in the Windows operating
system is not impossible. Being the dominant OS on computer systems
worldwide has made Windows the number one target for worm developers who
want their worms to cause the most damage. The 10 most effective worms of
2004 targeted Windows machines [19]. While this trend is not going to
change for a while, despite rumours that Microsoft are preparing to enter
the market of providing security software directly, Windows machines are
far from the only systems at risk. Indeed, there was an alarming growth in
2004 in worms that targeted mobile phones and PDAs [20]. IBM has identified
this threat as a possible major attack in 2005 [21].

Thus it can be seen how woefully inadequate current security measures are
when dealing with internet worms. Not only are they constantly playing
catch-up with worm developers, they are failing to deal with the fact that
as soon as new technologies are developed and deployed they become viable
targets.